Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.

The researchers identified 41 applications in Google's Play Market that leaked sensitive data as it traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services. By connecting the devices to a local area network that used a variety of well-known exploits, some of them available online, the scientists were able to defeat the secure sockets layer and transport layer security protocols implemented by the apps. Their research paper didn't identify the programs, except to say they have been downloaded from 39.5 million and 185 million times, based on Google statistics.

"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." Other exposed data included the contents of e-mails and instant messages.

A Google spokesman declined to comment. There was no evidence any of the vulnerable apps were developed by Google employees, although the researchers said there are steps Google engineers could take to better ensure Android apps implement the encryption more securely.

"All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process," Jon Oberheide, CTO of mobile firm Duo Security, told Ars. "Needless to say, security isn't top of mind of most mobile developers."

The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."

From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to subject to a manual audit that connected them to a network that used an SSL proxy to test whether the SSL implemented in the devices could be defeated. In some cases, the apps accepted SSL certificates that were signed by the researchers rather than a valid certificate authority. In others, the accepted certificates authorized a domain name other than the one the app was accessing. In still other cases, the apps were defeated by attacks including SSLstrip, which researcher Moxie Marlinspike demonstrated in 2009. Some apps also accepted certificates signed by authorities that are no longer valid. (It appears the Android operating system gives end users a means to manually disable various CAs.)

Example of vulnerabilities included:

An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.

An app with an install base of 1 million to 5 million users that was billed as a "simple and secure" way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a "broken SSL channel."

A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.

A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.

While the researchers didn't identify the vulnerable apps, descriptions such as a "generic online banking app" suggest that most if not all of them were offered by third-party developers rather than the websites or services they connected to. Readers who are concerned their apps are vulnerable should start their inquiry by looking at those that are developed by outside firms.

Locking down Android

The paper lists a variety of ways SSL protection can be improved on the Android platform. One is for the type of static analysis they performed to be done at the time a user is installing an app. Another is to use a technique known as certificate pinning, which makes it much harder for an app or browser to accept fraudulent certificates like the ones used in the study. The researchers also recommended Google engineers develop new ways for Android to make it clear when the connection provided by various apps is encrypted and when it's not. Google may be equipping Android phones with their own malware scanner, recent reports indicate.

The paper made no attempt to measure the security provided by apps available for Apple's competing iOS platform. One possible reason the researchers focused on Android apps exclusively is that the openness of the Google platform made it easier to perform static analysis. That, in turn, made it possible to zero in on the apps with SSL implementations that exposed sensitive user data. It would be interesting to see the results of a similar analysis performed on the 13,000 most popular iPhone apps.